From 5e12611d863f46e13421d588631471801c767241 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Mon, 11 Sep 2023 12:56:23 -0700 Subject: [PATCH] [Cloud Security] [Alerts] Workflow enhancements for Alerts in Cloud Security (#164902) Co-authored-by: Maxim Kholod --- x-pack/plugins/cloud_security_posture/public/common/types.ts | 4 ++++ .../public/components/detection_rule_counter.tsx | 4 ++-- .../utils/create_detection_rule_from_finding.ts | 5 +++++ .../utils/create_detection_rule_from_vulnerability.ts | 4 ++++ 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/cloud_security_posture/public/common/types.ts b/x-pack/plugins/cloud_security_posture/public/common/types.ts index d9bdc58cd3bb3..6ebfe7c7a0fa3 100644 --- a/x-pack/plugins/cloud_security_posture/public/common/types.ts +++ b/x-pack/plugins/cloud_security_posture/public/common/types.ts @@ -74,6 +74,10 @@ export interface RuleCreateProps { description: string; tags: string[]; max_signals: number; + investigation_fields?: { + field_names: string[]; + }; + note?: string; } export interface RuleResponse extends RuleCreateProps { diff --git a/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx b/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx index 0ee3cd24d36e1..eeea89f9a310f 100644 --- a/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx +++ b/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx @@ -111,8 +111,8 @@ export const DetectionRuleCounter = ({ tags, createRuleFn }: DetectionRuleCounte />{' '} diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts index a1f8ac3fa5fcc..b06246e6605e9 100644 
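Review bot: The two new optional members on `RuleCreateProps` carry no documentation, and because `RuleResponse extends RuleCreateProps` (the context line right after the hunk) they also become part of every rule response read by this plugin, so a reader has nothing to tell them what each field holds. I would add TSDoc above each: `/** Field names Security Solution highlights in the alert details for this rule; they should exist in the rule's source index. */` on `investigation_fields`, and `/** Investigation guide shown with alerts from this rule; rendered as Markdown by Security Solution. */` on `note`. A one-line comment that this interface mirrors the detection-engine rule API shape, and that additions here must match that API, would also help the next person who extends it. The detection_rule_counter.tsx hunk that follows is not legible in this view, so I cannot comment on it.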
--- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts @@ -21,6 +21,9 @@ const DEFAULT_RULE_LICENSE = 'Elastic License v2'; const DEFAULT_MAX_ALERTS_PER_RULE = 100; const ALERT_SUPPRESSION_FIELD = 'resource.id'; const ALERT_TIMESTAMP_FIELD = 'event.ingested'; +const DEFAULT_INVESTIGATION_FIELDS = { + field_names: ['resource.name', 'resource.id', 'resource.type', 'resource.sub_type'], +}; enum AlertSuppressionMissingFieldsStrategy { // per each document a separate alert will be created @@ -126,6 +129,8 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C name: finding.rule.name, description: finding.rule.rationale, tags: generateFindingsTags(finding), + investigation_fields: DEFAULT_INVESTIGATION_FIELDS, + note: finding.rule.remediation, }, }); }; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts index 35a6147f539b2..4361bd981c308 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts @@ -25,6 +25,9 @@ const DEFAULT_MAX_ALERTS_PER_RULE = 100; const ALERT_SUPPRESSION_FIELD = 'resource.id'; const ALERT_TIMESTAMP_FIELD = 'event.ingested'; const ALERT_SEVERITY_MAP_FIELD = 'vulnerability.severity'; +const DEFAULT_INVESTIGATION_FIELDS = { + field_names: ['resource.name', 'resource.id'], +}; enum RuleSeverityMapping { Low = 'low', 
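Review bot: `DEFAULT_INVESTIGATION_FIELDS` repeats the literal `'resource.id'` that `ALERT_SUPPRESSION_FIELD` on the line above already names, so the suppression key and the highlighted field can drift apart if one is ever changed; I would write `field_names: ['resource.name', ALERT_SUPPRESSION_FIELD, 'resource.type', 'resource.sub_type']`. The constant also has no comment saying what these names are for, which matters because they must be real fields of the findings documents the rule queries — something the compiler cannot check; `// Fields highlighted in the alert details flyout for rules created from a misconfiguration finding; must exist in the findings index.` would do. The sibling constant in create_detection_rule_from_vulnerability.ts has the same name but a shorter list, presumably because vulnerability documents lack `resource.type`/`resource.sub_type`; a comment noting that the two lists are intentionally different would stop someone "fixing" the mismatch.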
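Review bot: `note: finding.rule.remediation` turns text taken verbatim from an ingested findings document into the rule's investigation guide, which Security Solution renders as Markdown, so its trust level is that of whoever can write to the findings index rather than of this plugin. The Kibana Markdown renderer presumably sanitizes what it displays, but that assumption should be confirmed for the investigation-guide renderer specifically, and the provenance deserves a comment at the call site: `// Rendered as Markdown in the rule's investigation guide; copied as-is from the finding document.` If `remediation` can be an empty string for some benchmark rules, consider `note: finding.rule.remediation || undefined` so the rule is not created with a blank guide — I cannot tell from the hunk whether the field is always populated. The enclosing `createDetectionRuleFromFinding` starts outside the hunk.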
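Review bot: As in the findings file, `DEFAULT_INVESTIGATION_FIELDS` here re-spells `'resource.id'` instead of reusing `ALERT_SUPPRESSION_FIELD` from two lines above; `field_names: ['resource.name', ALERT_SUPPRESSION_FIELD]` keeps the highlighted field and the suppression key in step. The list is also noticeably thinner than the findings one and omits the field the rule already relies on for severity mapping, `ALERT_SEVERITY_MAP_FIELD` (`vulnerability.severity`), which an analyst triaging a vulnerability alert would presumably want surfaced; if it was left out deliberately, a comment saying why would help. Either way the constant needs a purpose comment such as `// Fields highlighted in the alert details flyout for rules created from a vulnerability finding; must exist in the vulnerabilities index.`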
@@ -145,6 +148,7 @@ export const createDetectionRuleFromVulnerabilityFinding = async ( name: getVulnerabilityRuleName(vulnerability), description: vulnerability.description, tags: generateVulnerabilitiesTags(vulnerability), + investigation_fields: DEFAULT_INVESTIGATION_FIELDS, }, }); };
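Review bot: This hunk adds `investigation_fields` to the vulnerability rule but, unlike the findings counterpart in the same commit, sets no `note`, so rules created from vulnerabilities get highlighted fields and no investigation guide. If the vulnerability document carries fix or remediation text, it would be worth wiring it through the same way; if it does not, a short comment next to `investigation_fields` such as `// No investigation guide: vulnerability findings carry no remediation text to surface.` would record that the asymmetry is intentional — I cannot tell from the hunk which is the case. The enclosing `createDetectionRuleFromVulnerabilityFinding` starts outside the hunk.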